Just like capacity management and availability management, it needs a dedicated team (or person), with the expertise and tools necessary to execute all activities under their responsibility.

So here we are establishing a security management function but I see myself doing the exact same things I always do in order to establish a process: Requirements workshops, documentation, training...

My question is: how do you deal with these functions in your organizations? Am I missing something?

Cheers!

I tend to agree that you need to find the right personnel to run the security management function but they're going to need some security policies as parameters for their work. Start off by establishing these.

Might be wrong, but I thought functions are defined and staffed based on organizational needs. In my previous life we had many people dedicated to each process area. Heck, I was one of eight in the Business Continuity Program Office (function) that performed IT Service Continuity Management (process) and other BCI-related activities (like crisis management).

Think my point is you need people to follow the process, and they may solely be assigned that process if the business environment requires it.

IMHO you need the process that should have several workflows showing inputs, outputs, triggers.

Obviously you have business requirements for security management, industry best practices, and procedures for your tools (which would be supporting documentation). You may have other requirements such as CISSP or Security+ certifications to perform or manage the process.

Back to my earlier post, if it makes business sense create an Information Security (or Information Assurance) department and staff it with qualified people. Develop the ITIL process that they should follow and ensure your Roles / RASCI are defined with your workflow processes.

I think the point here is that instead of talking of an SM process, ITIL and ISO 20000 should talk of the different processes, procedures, working instructions, tools, expertise, roles and responsibilities needed in order to establish an SM function.

Like the SD function, which participates in different processes (like IM, PM, CM), has different procedures (escalation, security incidents, and urgent incidents) and working instructions (e.g. how to create a ticket in the SD tool), expertise (dealing with people...), and needs different roles and responsibilities (SD Manager, SD Coordinator, SD Analyst...).

The key here is to understand that SM is NOT a process per se, but rather a group of all items described above.

Cheers!

You're wrong... ITIL can't be that prescriptive or specific without being too narrow and outdated before it's published. ITIL gives you a framework of good practice to use or put aside as suits your needs. The fact that it doesn't tell you chapter and verse how to implement and manage functions/processes/tools is neither here nor there... ITIL Management qualifications used to require that candidates had 5 years' prior service management experience before sitting the exams; I can see how removing this criterion leaves a lot of folks with the qualifications but no clue what to do with them.

Finally, you talk about the Service Desk as if they do all those things in all organisations... they don't.